Description of problem:

I installed Fedora 19 Beta RC2 to both local disks and iSCSI disks. The iSCSI services failed on the first boot due to SELinux. A number of AVCs were in the audit logs (see attached).

The output of audit2allow:

    [root@localhost ~]# grep iscsi /var/log/audit/audit.log | audit2allow -M iscsi
    [root@localhost ~]# cat iscsi.te

    module iscsi 1.0;

    require {
        type iscsid_t;
        type var_lock_t;
        type modules_object_t;
        type modules_conf_t;
        class dir { read search open getattr };
        class file { read write getattr link unlink open };
    }

    #============= iscsid_t ==============
    allow iscsid_t modules_conf_t:dir { read getattr open };
    allow iscsid_t modules_object_t:dir search;
    allow iscsid_t modules_object_t:file { read getattr open };
    allow iscsid_t var_lock_t:file { read write unlink link open };

SELinux is preventing /usr/sbin/iscsid from read, write access on the file lock.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that iscsid should be allowed read write access on the lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                lock [ file ]
Source                        iscsid
Source Path                   /usr/sbin/iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iscsi-initiator-utils-6.2.0.873-5.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-301.fc19.x86_64 #1 SMP Mon May 13 12:36:24 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-05-22 17:16:39 CDT
Last Seen                     2013-05-22 17:21:40 CDT
Local ID                      d42a5bec-00f8-49fa-a3e9-2d847e41a6df

Raw Audit Messages
type=AVC msg=audit(1369261300.71:360): avc: denied { read write } for pid=862 comm="iscsid" name="lock" dev="tmpfs" ino=15030 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

type=AVC msg=audit(1369261300.71:360): avc: denied { open } for pid=862 comm="iscsid" path="/run/lock/iscsi/lock" dev="tmpfs" ino=15030 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

type=SYSCALL msg=audit(1369261300.71:360): arch=x86_64 syscall=open success=yes exit=EBADF a0=44c119 a1=42 a2=1b6 a3=0 items=0 ppid=1 pid=862 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)

Hash: iscsid,iscsid_t,var_lock_t,file,read,write

audit2allow

#============= iscsid_t ==============
allow iscsid_t var_lock_t:file { read write open };

audit2allow -R
You must regenerate interface info by running /usr/bin/sepolgen-ifgen

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport

Potential duplicate: bug 816361

Created attachment 751925
File: audit.log.xz

Please execute

    # chcon -R -t iscsi_lock_t /run/lock/iscsi

I believe this is a bug which was caused by older policy and should be fixed now.
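
Added example, not part of the original report or of the selinux-policy project: a small triage script that collapses the two AVC records quoted in the report into the allow rule audit2allow printed, and marks rules whose target carries a generic type, the case where the reply's relabel is the fix rather than a local policy module. The function names and the GENERIC_TYPES set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report (one audit event, two denials).
SAMPLE_AVCS = """\
type=AVC msg=audit(1369261300.71:360): avc: denied { read write } for pid=862 comm="iscsid" name="lock" dev="tmpfs" ino=15030 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1369261300.71:360): avc: denied { open } for pid=862 comm="iscsid" path="/run/lock/iscsi/lock" dev="tmpfs" ino=15030 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example: types treated as generic parent-directory labels.
# A denial against one of these usually means the object missed its own label.
GENERIC_TYPES = {"var_lock_t", "var_run_t", "tmp_t", "var_t"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collapse(log_text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def triage(rules):
    """Render each rule and mark those whose target type is generic."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, "check-label" if tgt in GENERIC_TYPES else "review-rule"))
    return out

if __name__ == "__main__":
    for rule, verdict in triage(collapse(SAMPLE_AVCS)):
        print(verdict, rule)
```

The permission set matches the audit2allow output in the report; only the ordering inside the braces differs, which has no meaning in policy.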